Dist

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory plugin, but it automatically stores and reuses conversation details with limited controls for sensitive data, scope, or deletion.

Install only if you intentionally want persistent local memory across chats. Before using it with private or regulated information, verify where the SQLite database is stored, how you can inspect and delete entries, whether automatic memory writing can be disabled, and whether the OpenClaw environment limits which agents or tools can list saved memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability (Medium, 93% confidence)

The `memory_list` tool exposes bulk access to all stored memories, which creates a broad exfiltration surface for any caller that can invoke tools. In a memory plugin, retrieval should be scoped to relevant context or tightly filtered queries, not unrestricted listing of persistent user data.

Missing User Warnings (Medium, 93% confidence)

The skill explicitly saves conversation-derived information into a local SQLite database but does not warn users that potentially sensitive personal or confidential data may be retained on disk. This can lead to unintended long-term storage of secrets, personal preferences, or private context, especially on shared machines or in environments without disk encryption.

Missing User Warnings (Medium, 94% confidence)

The extractor intentionally classifies and retains user-provided content, including potentially sensitive identity, age, and location facts, without any visible consent, minimization, or policy checks in this file. In a memory plugin, this creates a privacy risk because sensitive personal information may be persistently stored and later surfaced or leaked through prompts, logs, or downstream components.

Missing User Warnings (Medium, 96% confidence)

This code stores combined conversation artifacts, including the original full user problem and the AI solution, in metadata, which can capture secrets, personal data, credentials, or proprietary content far beyond what is needed for memory. Because the feature is explicitly a memory engine, retaining full conversational context increases the chance of long-term exposure, unintended recall, and secondary leakage to other users, tools, or logs.

Missing User Warnings (Medium, 96% confidence)

The plugin automatically persists user message content after each turn into long-term local storage without any visible consent, notice, or opt-in gate. Because the filtering is minimal, sensitive personal data, secrets, or regulated information may be retained unexpectedly and later exposed through recall or tools.

Missing User Warnings (Low, 84% confidence)

The `memory_save` tool enables explicit persistent writes without any disclosure, confirmation, or policy checks in this file. A model or caller could save sensitive or manipulated content into durable memory, increasing privacy and prompt-injection risks over time.

Missing User Warnings (Medium, 95% confidence)

In debug mode, the engine logs a substring of `record.content`, which may contain sensitive user memories, prompts, or personal data. Even though logging is gated by an environment variable, debug logging often ends up enabled in development, staging, or misconfigured production environments, creating an avoidable confidentiality risk through log files and observability systems.

Ssd 3 (Medium, 95% confidence)

The extractor preserves broad slices of user and AI messages and, in some cases, the complete original problem text and solution, creating a substantial natural-language data retention surface. If the memory store is later queried, exposed, logged, or shared across contexts, this retained text could leak sensitive personal details, security-relevant troubleshooting data, or embedded secrets.

Ssd 3 (Medium, 97% confidence)

The skill stores user-provided content into long-term memory automatically, but only filters out very limited patterns such as long digit strings and simple greetings. This is insufficient to prevent storage of credentials, personal identifiers, health data, financial data, or other sensitive content that may later be retrieved or leaked.

Ssd 3 (Medium, 95% confidence)

The recall flow injects previously stored memories directly into the system prompt as plain text under the `[相关记忆]` marker. If stored content contains sensitive data or adversarial prompt text, this can leak private information into downstream model outputs and can also create a prompt-injection channel from untrusted stored memory into privileged instructions.

VirusTotal

66/66 vendors flagged this skill as clean.